
W32/Sober (also known as Sober.A, W32/Sober@mm, W32.HLLM.Odin, I-Sober.A) is a mass-mailing worm discovered on Oct 24th, 2003. It spreads via email attachments with .bat, .com, .exe, .pif or .scr file extensions. Like W32/Swen and others, it propagates using its own SMTP engine, and may claim to be a fix from Microsoft or antivirus vendors. The subject and body of the email message both vary, and can be in English or German. The worm sends itself to email addresses found on the victim's hard drive, and may spoof the "from" address field, masquerading, for instance, as an update from Microsoft. As of Oct 29th, it was affecting mostly Europe, Germany in particular, though it is spreading to other parts of the world.

On first run, it may display a fake "File Not Complete!" message box. As of Oct 27th, all major antivirus vendors have added its signature to their definition files. Unlike more destructive worms, W32/Sober does not carry a specific malicious payload; it only infects and multiplies. Sober can infect Windows 95/98/ME and Windows NT/2000/XP/2003 machines. On infection, W32/Sober copies itself into the Windows System folder as a file called similare.exe. It can also drop files with names such as systemchk.exe, winreg.exe, filexe.exe, antiv.exe, systemini.exe, driverini.exe, or winrea.exe, and may create files with random names and .EXE extensions. It creates two Run registry entries with random labels that reference these files, so they run automatically when Windows is booted.

Sober loads two copies of itself into memory and checks that both are running, reloading one if necessary. Sober then scans the victim's hard disk for email addresses, typically in .htt, .html, .pst, .doc, .eml, or .xls files. The worm is reported to create a file called %System%\Macromed\Help\Media.dll, which it uses to store the email addresses harvested from local files. Sober then sends copies of itself to the harvested addresses using its own SMTP engine.

W32.Sober is not a terribly destructive worm; however, it is fairly tenacious. Removal is not difficult, but you need to be careful to ensure you don't get re-infected. Updated definitions from most if not all vendors will let your antivirus scanner clean Sober. You can also download or use online scanners from Trend or McAfee. The basic procedure is as follows.

Step 1. Disable System Restore if you're using Windows ME/XP. When you make changes to your system, Windows creates a restoration checkpoint. If it does this while the system is infected, the infected copy can be restored later and reinfect the machine. For Windows XP or ME

Step 3. Run a full system scan with an updated antivirus scanner. If your scanner does not remove everything, follow the next few steps.

Step 4. During detection, your antivirus software should produce a list of files associated with the W32.Sober virus. Delete all of these files. They will typically be in the Windows System folder, whose location depends on which version of Windows you're running. Even if it is not listed, also delete %System%\Macromed\Help\Media.dll (where %System% is your Windows\system folder).

Step 5. Make a backup of the registry before you edit it (the steps differ for Windows 95/98/ME and for Windows XP/2000/2003). Delete the Run entries associated with Sober from the registry. These will either be flagged by the antivirus program, or you can go directly to the keys:
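As an added example (not part of the original write-up), the following Python script supports Steps 4 and 5: it walks the two standard Run keys (HKLM and HKCU ...\Software\Microsoft\Windows\CurrentVersion\Run), flags values that launch any of the file names listed above, marks any other executable started straight from the System folder for manual review, and checks for the Media.dll address store. The function names are the example's own; the classification logic runs anywhere, while the registry reading uses Python's winreg module and therefore only works on the Windows machine being cleaned.

```python
import ntpath, os, re
# File names the write-up lists as dropped into the Windows System folder.
SOBER_DROPPED = {"similare.exe", "systemchk.exe", "winreg.exe", "filexe.exe",
                 "antiv.exe", "systemini.exe", "driverini.exe", "winrea.exe"}
# Standard autostart keys; the worm's two random-named Run entries live here.
RUN_KEYS = [("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run")]

def command_executable(command):
    """Program path from a Run value: a "quoted path" or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def expand_env(path, env):
    """Expand %VAR% references using a case-insensitive environment mapping."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)

def classify(command, system_dir, env):
    """'sober': launches a listed file name (a bare name resolves via the search
    path, which includes the System folder); 'review': any other .exe started
    from the System folder (ctfmon.exe etc. land here, so inspect); else 'ok'."""
    folder, base = ntpath.split(expand_env(command_executable(command), env))
    if base.lower() in SOBER_DROPPED:
        return "sober"
    same_dir = folder and (ntpath.normcase(folder.rstrip("\\"))
                           == ntpath.normcase(system_dir.rstrip("\\")))
    return "review" if same_dir and base.lower().endswith(".exe") else "ok"

def read_live_run_entries():  # (hive, value_name, command) from the live registry
    import winreg  # Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, sub in RUN_KEYS:
        with winreg.OpenKey(hives[hive], sub) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, value, _ = winreg.EnumValue(key, i)
                entries.append((hive, name, str(value)))
    return entries

if __name__ == "__main__":
    system_dir = ntpath.join(os.environ["SystemRoot"], "system32")
    for hive, name, command in read_live_run_entries():
        verdict = classify(command, system_dir, os.environ)
        if verdict != "ok":
            print(hive, name, verdict, command, sep="  ")
    # The worm's harvested-address store named in the write-up.
    print("Media.dll present:", os.path.exists(ntpath.join(system_dir, r"Macromed\Help\Media.dll")))
```

Entries marked "review" are not verdicts: the System folder also holds legitimate autostart programs, so compare each one against the antivirus scanner's report before deleting anything.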